The following is a description of the elements, types, and attributes that compose the MacOS specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here. The MacOS System Characteristics Schema was initially developed by The Center for Internet Security. Many thanks to their contributions to OVAL and the security community. The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org. MacOS System Characteristics 5.8 9/15/2010 1:55:34 PM Copyright (c) 2002-2010, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at http://oval.mitre.org/oval/about/termsofuse.html. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included. This item stores sser account information (username, uid, gid, etc.). The user associated with the information collected. Obfuscated (*****) or encrypted password for this user. The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. This element represents the owner of the file. Group ID of this account. User's real name, aka gecos field of /etc/passwd. The diskutil_item holds verification information about an individual disk on a Mac OS system. Each diskutil_item contains a device, filepath, and how the actual permissions differ from the expected permissions. For more information, see diskutil(8). It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information. The device entity is a string that represents the disk on a Mac OS system to verify. Please see diskutil(8) for instructions on how to specify the device. The filepath element specifies the absolute path for a file on the specified device. A directory cannot be specified as a filepath. Has the actual user read permission changed from the expected user read permission? Has the actual user write permission changed from the expected user write permission? Has the actual user exec permission changed from the expected user exec permission? Has the actual group read permission changed from the expected group read permission? Has the actual group write permission changed from the expected group write permission? Has the actual group exec permission changed from the expected group exec permission? Has the actual others read permission changed from the expected others read permission? Has the actual others read permission changed from the expected others read permission? Has the actual others read permission changed from the expected others read permission? An inet listening server item stores the results of checking for network servers currently active on a system. This is the name of the communicating program. This is the IP address of the network interface on which the program listens. Note that the IP address can be IPv4 or IPv6. This is the IP address and network port on which the program listens, equivalent to local_address:local_port. Note that the IP address can be IPv4 or IPv6. This is the TCP or UDP port on which the program listens. Note that this is not a list -- if a program listens on multiple ports, or on a combination of TCP and UDP, each will have its own entry in the table data stored by this item. This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6. This is the IP address and network port to which the program is communicating or will accept communications from, equivalent to foreign_address:foreign_port. Note that the IP address can be IPv4 or IPv6. This is the TCP or UDP port to which the program communicates. In the case of a listening program accepting new connections, this is usually a *. This is the process ID of the process. The process in question is that of the program communicating on the network. This is the transport-layer protocol, in lowercase: tcp or udp. The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program. Output of 'nvram -p' A nvram variabl. This is the value of the associated nvram variable. The plist_item holds information about an individual property list preference key found on a system. Each plist_item contains a preference key, application identifier or filepath, type, as well as the preference key's value. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information. The preference key to check. The unique application identifier that specifies the application to use when looking up the preference key (e.g. com.apple.Safari). The absolute path to a plist file (e.g. ~/Library/Preferences/com.apple.Safari.plist). The instance of the preference key found in the plist. The first instance of a matching preference key is given the instance value of 1, the second instance of a matching preference key is given the instance value of 2, and so on. Note that the main purpose of this entity is to provide uniqueness for the different plist_items that result from multiple instances of a given preference key in the same plist file. The type of the preference key. The value of the preference key. The pwpolicy_item holds the password policy information for a particular user specified by the target_user element. Please see the 'pwpolicy' man page for additional information. The target_user element specifies the user whose password policy information was collected. The username element specifies the username of the authenticator. The userpass element specifies the password of the authenticator as specified by the username element. The directory_node element specifies the directory node that the password policy information was collected from. Maximum number of characters allowed in a password. Maximum number of failed logins before the account is locked. Minimum number of characters allowed in a password. Defines if the password is allowed to be the same as the username or not. Defines if the password must contain an alphabetical character or not. Defines if the password must contain an numeric character or not. The EntityItemPermissionCompareType complex type restricts a string value to more, less, or same which specifies if an actual permission is different than the expected permission (more or less restrictive) or if the permission is the same. The empty string is also allowed to support empty elements associated with error conditions. The actual permission is more restrictive than the expected permission. The actual permission is less restrictive than the expected permission. The actual permission is the same as the expected permission. The empty string value is permitted here to allow for detailed error reporting. The EntityItemPlistTypeType complex type restricts a string value to the seven values CFString, CFNumber, CFBoolean, CFDate, CFData, CFArray, and CFDictionary that specify the type of the value associated with a property list preference key. The empty string is also allowed to support empty elements associated with error conditions. The CFString type is used to describe a preference key that has a string value. The OVAL string datatype should be used to represent CFString values. The CFNumber type is used to describe a preference key that has a integer or float value. The OVAL int and float datatypes should be used, as appropriate, to represent CFNumber values. The CFBoolean type is used to describe a preference key that has a boolean value. The OVAL boolean datatype should be used to represent CFBoolean values. The CFDate type is used to describe a preference key that has a date value. The OVAL string datatype should be used to represent CFDate values. The CFData type is used to describe a preference key that has a base64-encoded binary value. The OVAL string datatype should be used to represent CFData values. The CFArray type is used to describe a preference key that has a collection of values. This is represented as multiple value entities. The CFDictionary type is used to describe a preference key that has a collection of key-value pairs. Note that the collection of CFDictionary values is not supported. If an attempt is made to collect a CFDictionary value, an error should be reported. The empty string value is permitted here to allow for detailed error reporting.